Cache object-level permissions on the User instance for evaluation

2024-05-10 07:54:54 +00:00 · 2020-05-12 15:42:44 -04:00
parent daa2c6ff21
commit c90f680284
3 changed files with 76 additions and 32 deletions
--- a/netbox/netbox/authentication.py
+++ b/netbox/netbox/authentication.py
@ -1,32 +1,50 @@
 from django.contrib.auth.mixins import AccessMixin
-from django.contrib.contenttypes.models import ContentType
-from django.db.models import Q
+from django.core.exceptions import ImproperlyConfigured

 from users.models import ObjectPermission


 class ObjectPermissionRequiredMixin(AccessMixin):
+    """
+    Similar to Django's built-in PermissionRequiredMixin, but extended to check for both model-level and object-level
+    permission assignments. If the user has only object-level permissions assigned, the view's queryset is filtered
+    to return only those objects on which the user is permitted to perform the specified action.
+    """
    permission_required = None

    def has_permission(self):
+        # First, check whether the user is granted the requested permissions from any backend.
+        if not self.request.user.has_perm(self.permission_required):
+            return False

-        # First, check whether the user has a model-level permission assigned
-        if self.request.user.has_perm(self.permission_required):
+        # Next, determine whether the permission is model-level or object-level. Model-level permissions grant the
+        # specified action to *all* objects, so no further action is needed.
+        if self.permission_required in self.request.user._perm_cache:
            return True

-        # If not, check for object-level permissions
-        app, codename = self.permission_required.split('.')
-        action, model_name = codename.split('_')
-        model = self.queryset.model
-        attrs = ObjectPermission.objects.get_attr_constraints(self.request.user, model, action)
-        if attrs:
-            # Update the view's QuerySet to filter only the permitted objects
-            self.queryset = self.queryset.filter(**attrs)
-            return True
-
-        return False
+        # If the permission is granted only at the object level, filter the view's queryset to return only objects
+        # on which the user is permitted to perform the specified action.
+        if self.permission_required in self.request.user._obj_perm_cache:
+            attrs = ObjectPermission.objects.get_attr_constraints(self.request.user, self.permission_required)
+            if attrs:
+                # Update the view's QuerySet to filter only the permitted objects
+                self.queryset = self.queryset.filter(**attrs)
+                return True

    def dispatch(self, request, *args, **kwargs):
+        if self.permission_required is None:
+            raise ImproperlyConfigured(
+                '{0} is missing the permission_required attribute. Define {0}.permission_required, or override '
+                '{0}.get_permission_required().'.format(self.__class__.__name__)
+            )
+
+        if not hasattr(self, 'queryset'):
+            raise ImproperlyConfigured(
+                '{} has no queryset defined. ObjectPermissionRequiredMixin may only be used on views which define '
+                'a base queryset'.format(self.__class__.__name__)
+            )
+
        if not self.has_permission():
            return self.handle_no_permission()
+
        return super().dispatch(request, *args, **kwargs)